The central network configuration is located in ''/​etc/​config/​network''​.

+

The central network configuration is located in the file ''/​etc/​config/​network''​. ​This configuration file is responsible for defining //switch VLANs//, //interface configurations//​ and //network routes//. After editing and saving ''/​etc/​config/​network''​ you need to execute ​<​code>​/etc/init.d/network reload</​code>​ to stop and restart the network before any changes take effect. Rebooting the router is not necessary.

The ''​switch''​ section is responsible for partitioning the switch into several //VLANs// which appear as independent interfaces in the system although they share the same hardware. **Not every OpenWrt supported device (or architecture,​ like x86) has a programmable switch**, therefore this section might not be present on some platforms. Please also note, that some switches only support 4Bit-VLANs.

-

The ''​switch''​ section is responsible for partitioning the switch into several //VLANs// which appear as independent interfaces in the system although they share the same hardware. Not every OpenWrt supported device has a programmable switch, therefore this section might not be present on some platforms.

+

There are currently two different configuration formats in use, one for the legacy ''/​proc/​switch/''​ API and one for the newer ''​[[doc/techref/swconfig|swconfig]]''​-based switch ​configuration.

-

+

-

There are currently two different configuration formats in use, one for the legacy ''/​proc/​switch/''​ API and one for the newer //swconfig// based switch ​infrastructure.

+

=== /​proc/​switch ===

=== /​proc/​switch ===

-

+

This variant is actually ​only found on Broadcom devices like the WRT54GL.

-

This variant is only found on Broadcom devices like the WRT54GL.

+

A typical configuration for it looks like this:

A typical configuration for it looks like this:
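
Review bot: "4Bit-VLANs" in the added switch paragraph is never defined, so a reader cannot tell what limit it places on their configuration. Suggest stating the limit in terms that can be checked against a config (for example, which VLAN numbers such a switch accepts) and tightening "Please also note, that some switches" to "Note that some switches".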

Line 72:

Line 39:

=== swconfig ===

=== swconfig ===

+

The newer ''​[[doc/​techref/​swconfig|swconfig]]''​-framework is intended to replace the legacy switch configuration.

-

The newer //​swconfig//​ framework is intended to replace the legacy switch configuration.

//​Swconfig//​ based configurations ​have a different structure with one extra section per vlan.

+

The example below shows a typical configuration:​

The example below shows a typical configuration:​

<​code>​config '​switch'​ '​eth0'​

<​code>​config '​switch'​ '​eth0'​
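
Review bot: the new swconfig link is written with slash separators ("doc/techref/swconfig"), while the other internal links on this page use colons ("doc:uci:network::switch", "doc:uci:firewall#zones"). Suggest "doc:techref:swconfig" so the link resolves the same way as the rest, and writing "swconfig framework" without the hyphen after the link.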

Line 95:

Line 59:

Common properties are defined within the ''​switch''​ section; vlan specific properties are located in additional ''​switch_vlan''​ sections linked to the ''​switch''​ section through the ''​device''​ option.

Common properties are defined within the ''​switch''​ section; vlan specific properties are located in additional ''​switch_vlan''​ sections linked to the ''​switch''​ section through the ''​device''​ option.

The complete layout is explained in the [[doc:​uci:​network::​switch|switch documentation]].

The complete layout is explained in the [[doc:​uci:​network::​switch|switch documentation]].

-

==== Interfaces ====

+

+

==== Interfaces ====

Sections of the type ''​interface''​ declare logical networks serving as containers for IP address settings, [[doc:​uci:​network#​aliases|aliases]],​ [[doc:​uci:​network#​ipv4.routes|routes]],​ physical interface names and [[doc:​uci:​firewall#​zones|firewall rules]] - they play a central role within the OpenWrt configuration concept.

Sections of the type ''​interface''​ declare logical networks serving as containers for IP address settings, [[doc:​uci:​network#​aliases|aliases]],​ [[doc:​uci:​network#​ipv4.routes|routes]],​ physical interface names and [[doc:​uci:​firewall#​zones|firewall rules]] - they play a central role within the OpenWrt configuration concept.

Depending on the used //interface protocol// several other options may be required for a complete interface declaration.

Depending on the used //interface protocol// several other options may be required for a complete interface declaration.

The corresponding options for each protocol are listed below. Options marked as "​yes"​ in the "​Required"​ column //must// be defined in the interface section if the corresponding protocol is used, options marked as "​no"​ //may// be defined but can be omitted as well.

The corresponding options for each protocol are listed below. Options marked as "​yes"​ in the "​Required"​ column //must// be defined in the interface section if the corresponding protocol is used, options marked as "​no"​ //may// be defined but can be omitted as well.

+

+

:!: In openwrt 12.09, if an interface section has no protocol defined (not even ''​none''​ ), the other settings are completely ignored. The result is that, if the interface section is mentioning a physical network interface (i.e. eth0), this will be down even if a cable is connected (with proto '​none'​ the interface is up). (could be that more testing is needed) ​

=== Options valid for all protocol types ===

=== Options valid for all protocol types ===
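
Review bot: the added 12.09 warning ends with "(could be that more testing is needed)", which leaves the reader unsure whether the behaviour is confirmed. Suggest either confirming it and naming the tested release and device, or turning it into a plain recommendation that follows from the text itself: always set "option proto", using "none" when no addressing is wanted, since an interface section without it is ignored and the physical interface stays down.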

Line 131:

Line 108:

^ Name ^ Type ^ Required ^ Default ^ Description ^

^ Name ^ Type ^ Required ^ Default ^ Description ^

| ''​ifname''​ | interface name(s) | yes(*) | //(none)// | Physical interface name to assign to this section, list of interfaces if type bridge is set.\\ //(*) This option may be empty or missing if only a wireless interface references this network or if the protocol type is ''​pptp'',​ ''​pppoa''​ or ''​6in4''//​ |

| ''​ifname''​ | interface name(s) | yes(*) | //(none)// | Physical interface name to assign to this section, list of interfaces if type bridge is set.\\ //(*) This option may be empty or missing if only a wireless interface references this network or if the protocol type is ''​pptp'',​ ''​pppoa''​ or ''​6in4''//​ |

-

| ''​type''​ | string | no | //(none)// | If set to "​bridge",​ a bridge containing the given //ifnames// is created |

+

| ''​type''​ | string | no | //(none)// | If set to "​bridge",​ a bridge containing the given //ifnames// is created\\ [[https://​forum.openwrt.org/​viewtopic.php?​pid=203784#​p203784|Wlan interface names are not predictable,​ therfore you cannot reference them directly in the network config]] ​|

| ''​ipaddr''​ | ip address | yes, if no ''​ip6addr''​ is set. | //(none)// | IP address. [openwrt 12.09] It could be a list of ipaddr , that is: several ipaddresses will be assigned to the interface. If, instead of a list, several ipaddr are specified as options, only the last is applied. ​|

| ''​ip6assign''​ | prefix length | no | //(none)// | Delegate a prefix of given length to this interface (Barrier Breaker and later only) |

+

| ''​ip6assign''​ | prefix length | no | //(none)// | Delegate a [[[[network6#​downstream.configuration.for.lan-interfaces|prefix of given length]] to this interface ​(Barrier Breaker and later only) |

| ''​ip6hint''​ | prefix hint (hex) | no | //(none)// | [[network6#​downstream.configuration.for.lan-interfaces|Hint the subprefix-ID]] that should be delegeted as hexadecimal number ​(Barrier Breaker and later only) |

| ''​force_link''​ | integer | no | ''​0''​ | Specifies whether ip address, route, and optionally gateway are assigned to the interface regardless of the link being active ('​1'​) or only after the link has become active ('​0'​);​ in trunk since the introduction of netifd; in case of a wireless interface the default is '​1'​ for an AP and '​0'​ for a STA. |
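
Review bot: the rewritten ip6assign row opens its link with four brackets ("[[[[network6#downstream...") but closes it with two, so the link markup is unbalanced; it should start with "[[". In the same group of rows, "therfore" in the type row and "delegeted" in the ip6hint row are typos, and the ipaddr row would read more clearly if it said outright that multiple addresses need "list ipaddr" because repeated "option ipaddr" lines keep only the last one.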

**Note:** To automatically configure 6rd from dhcp you need to create an interface with ''​option auto 0''​ and put its name as the '​iface6rd'​ parameter. In addition you also need to add its name to a suitable firewall zone in /​etc/​config/​firewall.

+

+

:!: It seems that if an interface is configured as dhcp client, at least on OpenWrt 10.03, the default route received by dhcp

+

will be the only one listed and will remove other default route/​metrics defined for other interfaces if those interfaces comes "​before"​ the interface with dhcp in terms of "​ifname"​ values. For example:

+

<​code>​

+

config interface wan

+

option ifname eth0

+

option proto static

+

..other options..

+

​

+

config interface wan2

+

option ifname eth1

+

option proto dhcp

+

..other options..

+

</​code>​

+

The interface with dhcp comes after (because eth1 comes after eth0 in a lexicografical order)

+

and will overwrite the default routes set up by the interface "​wan"​. While is not true the contrary.

+

If we have:

+

<​code>​

+

config interface wan

+

option ifname eth0

+

option proto dhcp

+

..other options..

+

​

+

config interface wan2

+

option ifname eth1

+

option proto static

+

..other options..

+

</​code>​

+

Both default routes set up by wan and wan2 will appear in the routing table.
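
Review bot: the added DHCP default-route warning opens with "It seems that", so it documents an observation rather than confirmed behaviour, and it is only tied to "at least on OpenWrt 10.03". Suggest stating which releases were tested and showing the resulting routing table for both orderings, since a silently replaced default route changes which uplink traffic leaves through. Wording fixes in the same block: "lexicografical" should be "lexicographical", and "While is not true the contrary" should be "The reverse is not true".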

| ''​reqprefix''​ | [auto,​no,​0-64] | no | auto | Behaviour for requesting prefixes (numbers denote hinted prefix length). Use '​no'​ if you only want a single IPv6 address for the AP itself without a subnet for routing ​|

**Note:** To automatically configure ds-lite from dhcpv6 you need to create an interface with ''​option auto 0''​ and put its name as the '​iface_dslite'​ parameter. In addition you also need to add its name to a suitable firewall zone in /​etc/​config/​firewall.

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface sixbone''​ would result in an interface named ''​6in4-sixbone''​.

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface sixbone''​ would result in an interface named ''​6in4-sixbone''​.

+

**Note:** HE.net has introduced updatekey as default for new tunnels in February 2014. Support added to Openwrt trunk by r39646.

+

+

**Note:** as of r41358 **username**,​ **password** and **updatekey** are all plaintext entries.
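
Review bot: the r41358 note says username, password and updatekey are "all plaintext entries" but not what form they had to take before that revision, so someone with an existing 6in4 section cannot tell whether it needs changing. Suggest naming the earlier format, and adding that these values are then stored readable in /etc/config/network, which matters when the file is backed up or pasted into a forum post.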

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface sixbone''​ would result in an interface named ''​aiccu-sixbone''​.

| ''​adv_interface''​ | string | no | ''​lan''​ | The //logical interface name// of the network the subnet should be advertised on. Multiple interface names can be given. |

-

| ''​adv_subnet''​ | hex number | no | ''​1''​ | A subnet ID between ''​1''​ and ''​FFFF''​ which selects the advertised /64 prefix from the mapped 6to4 space. The subnet ID is incremented by 1 for every interface specified in ''​adv_interface''​. ​ |

| ''​adv_interface''​ | string | no | ''​lan''​ | (deprecated) The //logical interface name// of the network the subnet should be advertised on. Multiple interface names can be given. |

+

| ''​adv_subnet''​ | hex number | no | ''​1''​ | (deprecated) A subnet ID between ''​1''​ and ''​FFFF''​ which selects the advertised /64 prefix from the mapped 6to4 space. The subnet ID is incremented by 1 for every interface specified in ''​adv_interface''​. ​ |

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface wan6''​ would result in an interface named ''​6to4-wan6''​. \\

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface wan6''​ would result in an interface named ''​6to4-wan6''​. \\

-

**Note:** If [[doc:​uci:​radvd|radvd]] is installed and enabled, the 6to4 scripts will add a temporary prefix and interface declaration to the //radvd// uci configuration and perform a daemon restart if required.

+

**Note:** If [[doc:​uci:​radvd|radvd]] is installed and enabled, the 6to4 scripts will add a temporary prefix and interface declaration to the //radvd// uci configuration and perform a daemon restart if required. ​(deprecated)
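
Review bot: "(deprecated)" is added to adv_interface, adv_subnet and the end of the radvd note without saying from which release or what replaces them, and in the radvd note it trails the sentence so it is unclear whether radvd, the 6to4 scripts' behaviour or the note itself is deprecated. Suggest putting the marker at the start of the note and naming the replacement mechanism and the first release it applies to.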

-

=== Protocol "l2tp" (L2TP Pseudowire Tunnel) ===

+

=== Protocol "6rd" (IPv6 rapid deployment) ===

-

:!: The package ''​l2tpv3tun''​ must be installed to use this protocol.\\

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface wan6'' ​would result in an interface named ''​6rd-wan6''​.

**Note:** Some ISP's give you the number of bytes you should use from your WAN IP to calculate your IPv6 address. ip4prefixlen expects the //prefix// bytes of your WAN IP to calculate the IPv6 address. So if your ISP gives you 14 bytes to calculate, enter 18 (32 - 14).

**Note:** This protocol type does not need an ''​ifname''​ option set in the interface section. The interface name is derived from the section name, e.g. ''​config interface wan''​ would result in an interface named ''​dslite-wan''​.

| {{:​meta:​icons:​tango:​48px-outdated.svg.png?​nolink}} | The "​config alias" approach is //​deprecated//​. it used to be needed when multiple interfaces sharing the same device where not supported. [[https://​forum.openwrt.org/​viewtopic.php?​pid=203943#​p203943|JoW]] |

//Alias// sections can be used to define further IPv4 and IPv6 addresses for interfaces.

//Alias// sections can be used to define further IPv4 and IPv6 addresses for interfaces.
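
Review bot: in the ip4prefixlen note, "bytes" should be "bits": the worked figure is 32 - 14, and 32 is the bit length of an IPv4 address. As written, a reader given a value in bits by their ISP may doubt the rule applies. In the deprecation box for "config alias", "where not supported" should be "were not supported", and the sentence should start with a capital.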

Line 413:

Line 608:

ip addr

ip addr

+

:!: This "​old"​ way works, at least, for OpenWrt 10.03.1 and 12.09.

+

=== Aliases: the new way ===

+

+

Basically create an '​interface'​ section per IP, but alias interfaces may NOT be of type bridge

+

+

* For non-bridged interfaces (physdev , that is physical interfaces) the ''​ifname''​ is the <​interface-of-network-for-same-phydev>​

+

* For cases where the interface is bridged the ''​ifname''​ is br-''​base-interface'',​ where ''​base-interface''​ is the name of the primary IP's config section (e.g. for a the default lan interface config, the first alias would use ifname br-lan).

+

+

A minimal alias definition for a bridged interface might be (for a scenario without vlans):

+

<​code>​config interface lan

+

option '​ifname'​ '​eth0'​

+

option '​type'​ '​bridge'​

+

option '​proto'​ '​static'​

+

option '​ipaddr'​ '​192.168.1.1'​

+

option '​netmask'​ '​255.255.255.0'</​code>​

+

+

<​code>​config interface lan2

+

​option '​ifname'​ '​br-lan'​

+

​option '​proto'​ '​static'​

+

​option '​ipaddr'​ '​10.0.0.1'​

+

​option '​netmask'​ '​255.255.255.0'</​code>​

+

+

or for a non-bridge interface

+

<​code>​config interface lan

+

option '​ifname'​ '​eth0'​

+

option '​proto'​ '​static'​

+

option '​ipaddr'​ '​192.168.1.1'​

+

option '​netmask'​ '​255.255.255.0'</​code>​

+

+

<​code>​config interface lan2

+

​option '​ifname'​ '​eth0'​

+

​option '​proto'​ '​static'​

+

​option '​ipaddr'​ '​10.0.0.1'​

+

​option '​netmask'​ '​255.255.255.0'</​code>​

+

+

To see a list of interfaces you can do ''​ubus list network.interface.*''​ and to view the ip of a particular interface (the UCI name not the physical interface), do ''​ifstatus <​interface>''​ (e.g. ''​ifstatus lan2''​).

+

+

:!: Does not work on OpenWRT 10.03.x .

+

+

=== Aliases: notes ===

+

On openwrt 12.09, a lan interface that is first defined as dhcp interface ​

+

and then has aliases with static ip address could cause problems ​

+

in routing the lan traffic through the wan zone using the basic lan-wan forwarding provided by openwrt. ​

+

A solution is: having the basic interface with static address and aliases with dhcp protocol.

==== IPv4 Routes ====

==== IPv4 Routes ====
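
Review bot: the warning "Does not work on OpenWRT 10.03.x" sits after the ubus/ifstatus sentence at the end of "Aliases: the new way", so it is unclear whether it refers to the new alias syntax or only to those two commands. Suggest moving it directly under the section heading and saying what it covers. The first bullet also leaves the placeholder "<interface-of-network-for-same-phydev>" unexplained even though the non-bridge example simply reuses "eth0"; saying "the same ifname as the primary interface" would match the example. In "Aliases: notes", the advice to swap static and dhcp between base interface and alias would be easier to trust with the symptom stated (which traffic fails to forward).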

Line 439:

Line 678:

| ''​metric''​ | number | no | ''​0''​ | Specifies the //route metric// to use |

| ''​metric''​ | number | no | ''​0''​ | Specifies the //route metric// to use |

| ''​table''​ | routing table | no | //(none)// | Defines the table ID to use for the route. The ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /​etc/​iproute2/​rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well |

| ''​table''​ | routing table | no | //(none)// | Defines the table ID to use for the route. The ID can be either a numeric table index ranging from 0 to 65535 or a symbolic alias declared in /​etc/​iproute2/​rt_tables. The special aliases local (255), main (254) and default (253) are recognized as well |

| ''​local''​ | the destinations are assigned to this host. The packets are looped back and delivered locally. |

+

| ''​broadcast''​ | the destinations are broadcast addresses. The packets are sent as link broadcasts. |

+

| ''​multicast''​ | a special type used for multicast routing. ​ It is not present in normal routing tables. |

+

| ''​unreachable''​ | these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated. The local senders get an EHOSTUNREACH error. |

+

| ''​prohibit''​ | these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error. |

+

| ''​blackhole''​ | these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error. |

+

| ''​anycast''​ | the destinations are anycast addresses assigned to this host. They are mainly equivalent to local with one difference: such addresses are invalid when used as the source address of any packet. |

| ''​mark''​ | mark/mask | no | //(none)// | Specifies the //fwmark// and optionally its mask to match, e.g. ''​0xFF''​ to match mark 255 or ''​0x0/​0x1''​ to match any even mark value |

+

| ''​invert''​ | boolean | no | ''​0''​ | If set to ''​1'',​ the meaning of the match options is inverted |

+

| ''​priority''​ | integer | no | //​(incrementing)//​ | Controls the order of the IP rules, by default the priority is auto-assigned so that they are processed in the same order they'​re declared in the config file |

+

| ''​lookup''​ | routing table | at least one of | //(none)// | The rule target is a table lookup, the ID can be either a numeric table index ranging from ''​0''​ to ''​65535''​ or a symbolic alias declared in ''/​etc/​iproute2/​rt_tables''​. The special aliases ''​local''​ (''​255''​),​ ''​main''​ (''​254''​) and ''​default''​ (''​253''​) are recognized as well |

==== listing an interface created by software on the router, like vpn ====

+

For example, a vpn interface is normally "​tun0"​. To list it in the uci config files (and therefore in luci):

+

<​code>​

+

config interface '​tun0'​

+

option ifname '​tun0'​

+

option proto '​none'​

+

</​code>​

==== Static IPv6-in-IPv4 tunnel ====

==== Static IPv6-in-IPv4 tunnel ====
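
Review bot: the new tun0 section hard-codes "tun0" as both section name and ifname while the text only says the interface is "normally" called that, so the example silently stops matching if the VPN software creates a different device. Suggest stating that ifname must equal the device name the VPN actually creates and saying what listing it is for (the text only mentions that it then shows up in luci). The heading also starts lowercase, unlike the other section headings in this diff.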

Line 649:

Line 1003:

option '​forward' ​ '​ACCEPT' ​ # Important

option '​forward' ​ '​ACCEPT' ​ # Important

option '​output' ​ '​ACCEPT'</​code>​

option '​output' ​ '​ACCEPT'</​code>​

+

+

==== Static addressing of a GRE tunnel ====

+

+

Create a GRE tunnel with static address 10.42.0.253/​30,​ adding it to an existing firewall zone called ''​tunnels'':​

+

+

<​code>​

+

config interface mytunnel ​

+

option proto gre ​

+

option zone ​tunnels ​ ​

+

option peeraddr 198.51.100.42 ​

+

​

+

config interface mytunnel_addr ​ ​

+

option proto static ​

+

option ifname ​ ​@mytunnel ​

+

option ipaddr ​ ​10.42.0.253 ​

+

option netmask ​ 255.255.255.252 ​

+

# Fixes IPv6 multicast (long-standing bug in kernel).

+

# Useful if you run Babel or OSPFv3.

+

option ip6addr ​ '​fe80::​42/​64'​

+

</​code>​

===== Network management =====

===== Network management =====
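
Review bot: in the GRE example, "option zone tunnels" is set only on "mytunnel", and the text does not say whether "mytunnel_addr", which carries the addresses via "@mytunnel", is covered by that zone or has to be added to it in /etc/config/firewall. Since that decides which firewall rules apply to the tunnel traffic, suggest stating it explicitly. The comment "Fixes IPv6 multicast (long-standing bug in kernel)" should cite the bug or ticket so readers can tell when the link-local address is no longer needed.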

Line 659:

Line 1033:

In order to derive a Linux interface name like ''​eth1''​ from a logical network name like ''​wan''​ for use in scripts or tools like ''​ifconfig''​ and ''​route''​ the ''​uci''​ utility can be used as illustrated in the example below which opens port 22 on the interface.

In order to derive a Linux interface name like ''​eth1''​ from a logical network name like ''​wan''​ for use in scripts or tools like ''​ifconfig''​ and ''​route''​ the ''​uci''​ utility can be used as illustrated in the example below which opens port 22 on the interface.

-

<​code>​WANIF=$(uci -P/​var/​state get network.wan.ifname)

+

<​code ​bash>

-

iptables -I INPUT -i $WANIF -p tcp --dport 22 -j ACCEPT</​code>​

+

WANIF=$(uci -P/​var/​state get network.wan.ifname)

+

iptables -I INPUT -i $WANIF -p tcp --dport 22 -j ACCEPT

+

</​code>​

+

+

The uci state vars are deprecated and not used anymore for network related information [[https://​forum.openwrt.org/​viewtopic.php?​pid=203787#​p203787|Quoting jow in the forum]].\\
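
Review bot: the added sentence says the uci state vars are deprecated and no longer used for network information, yet the example directly above it, reformatted in this same change, still reads "uci -P/var/state get network.wan.ifname". Suggest replacing the example with the current lookup method or moving the deprecation note above it and marking the snippet as legacy. As written, a failed lookup leaves WANIF empty and the unquoted "$WANIF" produces a malformed iptables call, so the script should check that WANIF is non-empty before inserting the rule.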